By James McKenna, head of Infrastructure & Administrative Systems, Morrison & Foerster
There has never been more concern around cyber security than now. We frequently read about people, entities and nations either accused of or victim to cyber attacks. It is no longer a trend; it is the new norm.
‘Patching’ used to be an acceptable standard for cyber security. But, because of concerns about cyber attacks, clients have been applying a lot of pressure on their professional service providers to ensure their data is safe. Firms are now bringing experts in house, reallocating budgets and actively engaging with third parties to help prove that their systems and processes can defend against hostile threats.
But, besides being a defensive resource, what can cyber security do for us? Perhaps it can also be a business generation tool. In physics, every action has an equal and opposite reaction; that reaction also causes another reaction. The same principles could be applied to business.
The regulatory requirements that apply to financial organisations are also being applied to their service providers. Call it regulation by proxy; it is a time of rapid evolution and law firms must expertly solve the tough problem of consistently maintaining ever-increasing security requirements, while simultaneously delivering world-class services.
A few financial institutions seem to be leaders of the pack. They are very well organised and in tune with regulatory needs, and expertly present what is required to their service providers. They clearly specify their expectations, work with their service providers to ensure the implemented solutions are in place and frequently spot check.
To meet these needs, law firms are reallocating internal resources, reprioritising projects, concurrently bringing forth new solutions and eliminating older or less secure options. Some of these changes are invisible to lawyers; others result in lawyers having to work differently than in the past, experience less flexibility and be aware of what would happen if client data was lost. Is it all worth it? It most certainly is because, if clients’ needs are not met, they will take their business to competitors.
Presently, many law firms are adjusting their internal practices because they have to. But, the truly creative and talented will soon adjust their internal practices because they want to. Rather than looking at this as complying with clients’ needs, what if we interpret it as our industry’s best practice and effectively create a service standard that exceeds it?
The law firm that can prove and deliver a good working mix of expertise, service and cyber security will have an incredible market advantage over its peers. With that competitive advantage comes the opportunity for growth in a flat market, better leverage of existing internal talent and assets, and the ability to trim costs as various processes are standardised and automated.
How can that competitive advantage be achieved? Probably the best way is to break it up into discrete and actionable steps. Cyber security is not a ‘one thing’ type of problem; it has many layers and their applicability may change at different points in time, phases of engagement or locales. Cyber security is also an evolutionary mechanism that needs to adapt to changing variables.
Some key cyber security objectives that are interrelated but distinct include:
securing client data;
controlling access and capability to work with client data;
managing internal workflows to get client data into the correct repositories;
complying with international data management requirements;
enabling access to client data via mobile solutions;
automating the creation, securement (both at inception and ongoing) and ultimate elimination of client data;
creating an audit trail of data management;
establishing processes around infractions, breaches and mistakes;
eliminating, upgrading or modernising older technologies; and
educating staff and partners about the firm’s cyber security solution.
What would that competitive advantage look like? There are three objective and actionable options which are not mutually exclusive. A firm might market its expertise in verticals with premier security requirements or automate processes to reduce expenses and risks. Or, it might further strengthen the relationship between the firm and its clients so that they know that their data is verifiably well managed.
Cyber security requires all of us to work differently. The question is whether your firm will do so in a way that is advantageous to it.